Re: Password Cracking & Consequences

[Theresa M Rowe <rowe () OAKLAND EDU>]

Yes, that's what I was looking for.  Your policy does not
explicitly state the password cracking technique, but you
have had campus discussion on the policy?

For us to create an IT policy here, there's at least 4 rounds
of different committee review and approval.  We'd have to
explicitely state we were going to try to crack passwords, or
the policy would not support the action.

Theresa

---- Original message ----
> Date: Sat, 28 Aug 2004 02:09:37 +1000
> From: Christian Wilson <Christian.Wilson () its monash edu au>
> Subject: Re: [SECURITY] Password Cracking & Consequences
> To: Theresa M Rowe <rowe () oakland edu>
> Cc: SECURITY () LISTSERV EDUCAUSE EDU
>
> Theresa,
>
> On Fri, Aug 27, 2004 at 08:29:17AM -0400, Theresa M Rowe
wrote:
> > I just cannot imagine even trying that in our culture.  I
am
> > surprise that this is being done at some organizations.
Can
> > you share more specifics about the process:
> > What campus involvement did you get prior to making the
> > decision - this couldn't have been just an IT decision.
> > How did you market it?
> > How did your faculty react?
>
> We have an IT Security Policy (everyone I believe can read
it, its located
> at http://www.adm.monash.edu.au/unisec/pol/itec13.html).
>
> Things like cracking passwords/finding security
vulnerabilities and exposing
> such vulnerabilities can be determined from our policy via
the following
> clause:
>
> "10.2 Monitoring will be undertaken routinely by ITS
Authorized Staff in
> the normal course of their duties to maintain technical
security and
> operational efficiency of the system/service. Any
extraordinary action
> taken to monitor IT services must be authorized by the
Executive
> Director, ITS."
>
> So basically issues regarding technical security, the
cracking of usernames
> and passswords would fall under this.
>
> Our IT Security Policy has been approved by the University
IT Policy group,
> so thats how we can justify doing what you are asking.
>
> Perhaps things are different in Australia as opposed to the
US? I don't know?
> I'd be interested in seeing what people on list think about
our policy.
> Hope this helps
> Christian.
> --
> Christian Wilson
> IT Security and Risk Manager, Infrastructure Services
> Information Technology Services, Monash University - Clayton
> Phone: +61 3 990 51187
Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.